Info Gov

Police Scotland has been fined £66,000 and issued with a formal reprimand after the UK Information Commissioner’s Office (ICO) found the force guilty of serious failures in the handling of highly sensitive personal data.

The investigation centred on the force’s extraction of the 'entire' contents of an individual’s mobile phone after they reported an alleged crime. According to the ICO, Police Scotland failed to put in place adequate safeguards to limit access to information irrelevant to the inquiry. As a result, officers collected “a substantial volume of highly sensitive information,” much of which had no bearing on the matter under investigation.

The situation was further exacerbated when the unredacted phone data was later included in a misconduct disclosure bundle and shared with a third party who should not have received it. The ICO said the disclosure occurred because “appropriate review, redaction and security procedures were not in place,” and staff lacked the necessary guidance and organisational controls to handle such data safely.

The complainant is a police detective, Det Con Lianne Gilbert, who made a complaint of domestic abuse, including serious sexual assault, against another officer in 2020 and has since waived her right to anonymity. In the course of a misconduct inquiry into the allegations two years later, data - including intimate images and medical records - taken from her phone was given to the accused officer, his lawyer and his Scottish Police Federation (SPF) representative.

Gilbert told BBC Scotland that she was only made aware that her data had been breached in June 2022 when she was called by the Scottish Police Federation offering support. "It's been absolutely horrific and very, very traumatic" she told the BBC. "At the time it happened I had a five-month-old baby. It's really impacted my motherhood journey. At times I still feel quite numb. I felt relieved to see they had been fined and that it has been dealt with seriously because I'm aware its not common practice to fine a public body. Although they have apologised its not an apology I have ever accepted. I don't think it's good enough."

The detective believed that Police Scotland had notified the ICO over the incident but when she later contacted the watchdog some months later, she learned that the breach had never officially notified to the ICO.

The regulator concluded that Police Scotland had failed to:

  • Implement appropriate organisational and technical measures to ensure data security
  • Limit the sharing of personal information to what was strictly necessary
  • Ensure staff handling sensitive information followed clear guidance and procedures
  • Report the data breach within the legally required 72‑hour period

Sally-Anne Poole, the ICO’s Head of Investigations, described the incident as a stark example of the “devastating consequences of poor data protection practices.”

“Police Scotland failed in its obligation to safeguard the personal information of someone who had reached out to them for help,” she said. “Instead, they exposed them to further risk and distress by disclosing highly sensitive information to a third party.”

Poole added that people should be able to trust organisations - especially law enforcement - to treat their data “with care, fairness and respect,” warning that failure to do so will result in enforcement action.

The ICO said it took into account the seriousness of the breach, the sensitivity of the data involved and the impact on the affected individual when calculating the £66,000penalty. The regulator also applied a reduction to the fine to avoid causing disproportionate harm to public services, given Police Scotland’s status as a public body.

Deputy Chief Constable Alan Speirs of Police Scotland apologised for incident, saying: "Police Scotland has taken organisational learning from this incident.

"Substantive steps have already been made to strengthen our processes for handling personal data, improving training and support for staff, as well as increasing oversight to reduce the risk of something similar happening in the future."


Also in this section

Jul 13, 2026

ICO refreshes law enforcement subject access guidance following DUAA 2025

The Information Commissioner's Office has updated its detailed guidance on the right of access under part 3 of the Data Protection Act 2018, incorporating the changes made by the Data (Use and Access) Act 2025 to how competent authorities handle subject access requests for law enforcement processing.
Jul 07, 2026

Section 166 application dismissed after ICO opens fresh investigations into school, council and diocese data sharing

The First-tier Tribunal (General Regulatory Chamber) has dismissed an application under section 166(2) of the Data Protection Act 2018 against the Information Commissioner, despite finding that the regulator's original response to a school employee's data sharing complaint was not an outcome to the Applicant's complaints, because a series of further investigations and outcome letters issued after…

InfoGov Masthead Newsletter 800